ASA5510 with VPN and hairpinning

Unanswered Question
Aug 1st, 2008
User Badges:

I have an ASA5510 I want to place in my network for firewalling and VPN purposes. It is replacing the Cisco 2821 router using the VPN and firewall modules.

I would like to "hairpin" VPN users and restrict them to a subset of my outside IP addresses; i.e. they connect to the outside port on 64.244.xx.2 /25 (split tunneling is disabled), but to the outside world they then have an outside IP address of 64.244.xx.96-.126.

Is this possible and can I also allow them access into my internal network at the same time?

Or should I set up separate VPN groups; one that gets internal access and an internal IP or /24, and one that is hairpinned out to the Internet using routeable IPs?

What is the best way to do this? I have been going through every option under the ASDM, but to no avail. I can provide my current config if needed.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
acomiskey Fri, 08/01/2008 - 17:21
User Badges:
  • Green, 3000 points or more

Hairpinning is no problem, should be your solution. Assuming vpn client subnet pool is

same-security-traffic permit intra-interface

global (outside) 10 64.244.xx.96-64.244.xx.126

nat (outside) 10

Then configure your vpn access to inside as usual.

access-list nat0 extended permit ip any

nat (inside) 0 access-list nat0

Also be sure to disable split tunnel.

kerryjcox Fri, 08/01/2008 - 18:16
User Badges:

Excellent. I will be configuring this tomorrow for all the employees. I'll give your recommendations a go. Sounds like a valid solution. Will let you know the outcome.

Much appreciated.

kerryjcox Sat, 08/02/2008 - 21:16
User Badges:

Thanks much. I attempted to place the 5510 in front of my 2821 late this evening and had no luck getting any sort of Internet connection out. Something must be foobar with my new config. Was not even able to attempt a hairpin VPN connection as Internet connectivity was down.

Am attaching configs for both the 2821 and the 5510 along with my proposed changes.

Maybe someone can see what I was doing wrong.

acomiskey Sun, 08/03/2008 - 12:19
User Badges:
  • Green, 3000 points or more

I think you're missing a route on your 5510.

route inside

kerryjcox Sun, 08/03/2008 - 13:48
User Badges:

That makes sense. I've been looking over both configs and that looks right.

I'll give it another shot tomorrow evening.

I am attaching a copy of the Visio diagram showing how I would like it to be.

Your comments are much appreciated. Thanks for the clarification.

acomiskey Sun, 08/03/2008 - 16:50
User Badges:
  • Green, 3000 points or more

You also are missing something like this...

global (outside) 1 interface

nat (inside) 1 0 0

kerryjcox Mon, 08/04/2008 - 14:08
User Badges:

Adding this route to the 5510 yields this error:

firewall(config)#route inside

ERROR: Cannot add route, connected route exists

All the routes appear to be good and I do not see what the issue can be.


global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

static (inside,outside) esva.external esva.internal netmask

static (inside,outside) mediamail.external mediamail.internal netmask

access-group outside_access_in in interface outside

route outside 1


acomiskey Mon, 08/04/2008 - 16:46
User Badges:
  • Green, 3000 points or more

Could you post your visio as a jpeg?

kerryjcox Tue, 08/05/2008 - 07:17
User Badges:

I also made some changes to my ASA5510 last night that I was hopeful would work.

Here is the current ASA5510 config with the proper routes and NAT'ing. Again, it's IP is as the management IP.

Users were still NOT able to get out to the Internet.

I did a "sho ip routes" on both the 2821 and the 5510 when they were in-line and though they could talk to each other and the routing tables looked good, I could not get out on the Internet.

Here are the commands I issued to the 2821 after I placed the 5510 in-line.

conf t

interface GigabitEthernet0/0

no ip address

ip address

no ip route name XO-ROUTER

ip route name ASA5510

no ip nat source static

acomiskey Tue, 08/05/2008 - 07:30
User Badges:
  • Green, 3000 points or more

Fix your mask if it is /25.

interface Ethernet0/0

description Outside interface

nameif outside

security-level 0

ip address

Second, your nat (inside) should reflect internal network you wish to nat, not the external vpn network.

global (outside) 1 interface

global (outside) 10

nat (inside) 1 0 0

nat (outside) 10

kerryjcox Tue, 08/05/2008 - 08:16
User Badges:

Dang. You're right....

I guess being the only person in the office who does Cisco is a distinct disadvantage. It helps to have some extra eyes take a look.

I'll make these changes and let you know how it goes.

Thanks much.


This Discussion